Netgate Discussion Forum

    New pfsense user, trying to switch from smoothwall, questions

    Problems Installing or Upgrading pfSense Software
    9 Posts 2 Posters 2.0k Views

    • falcon_cmh

      OK so I have been using smoothwall for a while now.  After doing some research pfsense looks like a better alternative.  I am a software developer but by no means do I know a lot about networking.  My first goal is to get pfsense to work behind my Comcast business modem.  I also use smoothwall to assign static ips via mac addresses, and to take incoming requests and route to certain servers like my mail and web server.  So my first issue is I am not following how to set up my interfaces to even get pfsense to allow the WAN traffic thru properly.  On smoothwall they had green (LAN) and red interfaces (WAN).  My settings were as follows:
      LAN:
      IP Address - 192.168.1.x
      Netmask - 255.255.255.0
      WAN:
      Static
      IP Address - 1 of my 5 ip address Comcast assigned me
      Netmask - fixed from Comcast for the above ip address
      Default Gateway - an additional ip to the 5 Comcast gave me
      Primary DNS - same as default gateway

      How do I configure pfsense with these same settings?  I am confused on how to accomplish this.  I see the interfaces and gateways but I do not see in either where I can set these same settings.

      I doubt this makes any difference but I am hosting pfsense in a VM on a Windows Server 2012 R2.  I have 2 virtual switches: LAN and WAN.  Are there preferred memory, drive, and processor settings/requirements for hosting pfsense in a VM?  I used 2 virtual processors, 4 MB memory, and 4 GB storage for smoothwall.  I tried the same with pfsense and it installed but it complained about the drive size with the autoinstall.

      Currently smoothwall is running, I have not shut it down yet and it shows up as a gateway by default in pfsense.  I know I will need to shut it down first so pfsense can take over the gateway and DHCP server functions.  But I need to understand the interfaces and gateway configurations first.

      Also if there are any other settings that need tweaked for the Comcast business modem to work properly with pfsense, smoothwall didn't need any special tweaks, those would also be appreciated.

      Any help here is greatly appreciated.

      • falcon_cmh

        OK I got everything installed and working except NAT.  I added my NAT addresses and no incoming ports are open.  I.e. my mail isn't being received.  Everything out is fine.  I used an outside ping service to verify this.  This makes no sense to me; the definitions are very straightforward.  I can ping the mail server internally.  One thing I did notice is my external ip is different than smoothwall when I have DHCP set.  It is x.x.x.6 instead of x.x.x.1.  So my dns for my domain may need reset too?  Any help/thoughts on either of these issues would be great.  I did use the ips instead of the domain when testing the ports.

        • johnpoz LAYER 8 Global Moderator

          "I added my NAT addresses and no incoming ports are open"

          You did what exactly - did you set up a 1:1 for your different public IPs or did you just set up port forwarding with the 1 public IP you set up?  So you set up your other IPs out of your scope as vips?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • falcon_cmh

            I have attached what I did, I just set up NAT rules for each port. I tried all 6 of my ips, none worked for any port.  I just need a single ip to work, my x.x.x.1 ip.  But it would be nice to know how to set the other ips up too so if I need them in the future for additional domains.

            [Attached image: NAT.jpg]

            • johnpoz LAYER 8 Global Moderator

              So what is your wan IP?  And you have no rules on your wan that would block the rule added automatically when you did the port forward?

              I would suggest you run through the troubleshooting guide to find out what you did wrong

              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

              • falcon_cmh

                I have no rules on the modem firewall, everything is disabled.  I tried the troubleshooting to no avail.  I read somewhere the Comcast modem needs to be set to bridged mode but I really do not want to have to call them to do that.  Smoothwall works w/o that, i.e. it works now w/o any modem changes.  I would like to get pfsense working as is so I can decide which firewall I am sticking with.  I suspect it has something to do with the fact I am dhcping the WAN.  I tried static on the WAN and set my ip and gateway but nothing works then in or out.

                • falcon_cmh

                  OK so I left the pfsense VM DHCP on the WAN.  I configured the Comcast business modem to turn on dmz and I allowed the dhcp ipaddress pfsense WAN got out on the DMZ.  Then I configured 1:1 NAT for my x.x.x.1 ip to my internal ip.  Then I opened up ports, 110, 143, and 25 in the firewall for that internal ip.  That works.  Thankfully some obscure post in ExpertsExchange a dude out there mentioned exposing the pfsense vm in the DMZ.  Now I can only reach my Comcast modem on the box that hosts the pfsense VM.  But at least this works w/o changing the modem to bridged.  If I decide to stay with pfsense I might call Comcast and have them switch my modem to bridged and then try that too not sure though.  I wonder which configuration is best DMZ or bridged?

                  • johnpoz LAYER 8 Global Moderator

                    Dude what is your pfsense wan IP??  Is it public or private?  does it start with 192.168.x.x, 10.x.x.x, 172.16-31.x.x?  Where did I ask about your modem firewall rules??

                    When you do a port forward it will add a firewall rule to allow it, but it puts it at the bottom. It's quite possible that you're blocking the traffic before it gets to that rule with something like pfblocker or something, or some other manually created rule?

                    You tried the troubleshooting?  What does that mean??  So you read it and just had no clue or you actually walked through all the steps - if so where is it failing?  For example 5 says fire up packet capture is the traffic actually getting to your pfsense wan even?

                    edit:
                    "mentioned exposing the pfsense vm in the DMZ"

                    So you were behind a nat??  So how exactly you doing multiple IPs.. Thought you had a business connection.. What model of isp device do you have???  Why would you setup 1:1 and not just port forward?  Are you planning on using your other IPs?  Or is your pfsense still behind a NAT??

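The rule-ordering point in the post above, as an added example that is not part of the thread and is not pfSense code: interface rules are evaluated top-down and the first match decides, so a block rule placed above the pass rule that a port forward adds will drop the forwarded traffic. The rule model, the labels, the internal host 192.168.1.10 and port 8080 are constructed assumptions; ports 25, 110 and 143 are the ones mentioned in the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp" or "any"
    dst: str      # destination host or network (CIDR), i.e. the post-NAT internal address
    ports: tuple  # inclusive (low, high) destination port range
    label: str

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    if earlier.proto not in ("any", later.proto):
        return False
    e_net = ipaddress.ip_network(earlier.dst)
    l_net = ipaddress.ip_network(later.dst)
    if e_net.version != l_net.version or not l_net.subnet_of(e_net):
        return False
    return earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]

def decide(rules, proto, dst_ip, port):
    """First-match evaluation of one inbound packet; no match means default deny."""
    probe = Rule("probe", proto, dst_ip, (port, port), "probe")
    for rule in rules:
        if covers(rule, probe):
            return rule.action
    return "block"

def shadowed_passes(rules):
    """Pairs (pass_label, block_label) where a higher block rule fully covers a pass rule.
    Partial overlaps are not reported; this only flags passes that can never match."""
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "pass":
            continue
        for earlier in rules[:i]:
            if covers(earlier, rule):
                if earlier.action == "block":
                    hits.append((rule.label, earlier.label))
                break  # the first covering rule decides every packet for this pass
    return hits

# Constructed WAN rule list: a manual block sits above the port-forward pass rules.
WAN_RULES = [
    Rule("block", "tcp", "192.168.1.0/24", (1, 1023), "manual block low ports"),
    Rule("pass", "tcp", "192.168.1.10", (8080, 8080), "NAT alt-http"),
    Rule("pass", "tcp", "192.168.1.10", (25, 25), "NAT smtp"),
    Rule("pass", "tcp", "192.168.1.10", (110, 110), "NAT pop3"),
    Rule("pass", "tcp", "192.168.1.10", (143, 143), "NAT imap"),
]

if __name__ == "__main__":
    for pass_label, block_label in shadowed_passes(WAN_RULES):
        print(f"{pass_label!r} can never match: shadowed by {block_label!r}")
```
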

                    • falcon_cmh

                      pfsense wanip is dhcped and is a 10.x.x.x ip.
                      You didn't ask about my modem firewall rules but I thought it was pertinent.
                      When I did the port forward rule it did create the rule and it will work but the issue is when I dhcp my WAN pfsense my ip is x.x.x.6 and I need it to be x.x.x.1.  When I set the WAN to static and pick x.x.x.1 neither in or out work.  That is where I think the Comcast modem has to be bridged to work.  And why I ended up putting the pfsense vm in the DMZ with DHCP, I tried static in the DMZ to no avail as well.
                      I read the steps and followed through them when the pfsense was not in the DMZ.  Traffic was not getting thru in.
                      I have no desire currently to do multiple ips but in the future I might is why I switched to the virtual IP.

                      Either way with the port mapping getting the x.x.x.6 ip or the virtual ip x.x.x.1 in the DMZ it works.  The only problem is now my port 80 doesn't go through on the x.x.x.6 (I did move pfsense to port 81) and because my web server goes to a different server I cannot use the virtual ip.

                      So now my biggest issue is getting my web server working and getting my ip to be x.x.x.1 instead of x.x.x.6 using port mapping and not virtual ip.

                      I do have a Comcast business connection and modem with 5 ips, the 6th ip they setup on the modem itself.  The business modem firewall nat is shutoff.  The business modem is a virtual bridge right now.  You have to call Comcast to get them to set it in physical bridge mode and I do not want to do that.  Smoothwall works with the modem as a virtual bridge and I want to run side by side comparisons of the firewall to ensure performance etc. is good before I pick pfsense long term.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.